On Fri Dec 1 15:31:52 2023 Rowland Penny via samba <samba at lists.samba.org> wrote:
> On Fri, 01 Dec 2023 14:45:09 -0500 Mark Foley via samba <samba at lists.samba.org> wrote:
> > Moving on with the tests. Most are working, but a couple of the tests
> > for Verifying DNS,
> > https://wiki.samba.org/index.php/Setting_up_Samba_as_an_Active_Directory_Domain_Controller#Verifying_DNS_(Optional)
> > have issues. This one gives me a bit different output:
> >
> > # host -t A dc1.hprs.locl.
> > dc1.hprs.locl has address 192.168.0.2
> > dc1.hprs.locl has address 24.142.169.13
> >
> > The 192.168.0.2 was expected from the wiki example, but what about the
> > 24.142.169.13? That is the public IP for this server. I presume
> > that's OK?
>
> No, your AD DC should not be connected to the internet in any way.

Well, for now it is because I am doing the configuration remotely to an off-site location. I am taking pains to ensure there is no intrusion. In fact, the old/current DC has always been, and still is, connected to the Internet! When I put this new one in place, it will not be. It will be connected to the firewall/router at 192.168.0.1.

> > The next test fails:
> >
> > # host -t PTR 192.168.0.2
> > Host 2.0.168.192.in-addr.arpa. not found: 3(NXDOMAIN)
> >
> > The zonecreate was successful, so why the failure? Leaving off the .2
> > also fails:
> >
> > # host -t PTR 192.168.0
> > 192.168.0 has no PTR record
> >
> > What did I do wrong?
>
> I have no idea, let's start with the contents of /etc/hosts and your
> smb.conf

/etc/hosts:

127.0.0.1 localhost
192.168.0.2 DC1.hprs.local DC1

/etc/samba/smb.conf:

[global]
dns forwarder = 209.18.47.61
netbios name = DC1
realm = HPRS.LOCL
server role = active directory domain controller
workgroup = HPRS
idmap_ldb:use rfc2307 = yes
interfaces = lo, eth1
bind interfaces only = Yes

[sysvol]
path = /var/lib/samba/sysvol
read only = No

[netlogon]
path = /var/lib/samba/sysvol/hprs.locl/scripts
read only = No

> > Finally, not a question/error yet, but in smb.conf [GLOBAL] I have:
> >
> > dns forwarder = 209.18.47.61
>
> Well, it looks okay, but what is '209.18.47.61', it doesn't appear to
> respond to a ping.
>
> > That was stuck in there by the provision operation. This is an IP for
> > my ISP's name server. I kept the ISP's nameservers in
> > /etc/resolv.conf because with just the wiki suggested entries:
> >
> > search hprs.locl
> > nameserver 192.168.0.2
> >
> > I could not resolve public domain names.
>
> Ah, it is a dns server:
> host -t PTR 209.18.47.61
> 61.47.18.209.in-addr.arpa domain name pointer dns-cac-lb-01.rr.com.
>
> It is a dns problem, this is what is supposed to happen:
>
> A client asks for the dns info for dc1.hprs.locl and the Samba dns
> server should reply with the correct data, but if the client was to ask
> for the dns info for www.samba.org, the Samba dns server will not
> know it and should ask the forwarder for the info, which it should
> return and the Samba server would then pass this to the client.
>
> That doesn't appear to be happening on your DC, did you add the lines
> to your DC smb.conf that you didn't pass during the provision?
>
> Rowland

Yes I did add those lines, as you can see from the smb.conf, although maybe I didn't restart Samba after doing so. I did that now, but it didn't make any difference with the 'host -t PTR 192.168.0.2' test.

My current zonelist is:

pszZoneName : 0.168.192.in-addr.arpa
Flags : DNS_RPC_ZONE_DSINTEGRATED DNS_RPC_ZONE_UPDATE_SECURE
ZoneType : DNS_ZONE_TYPE_PRIMARY
Version : 50
dwDpFlags : DNS_DP_AUTOCREATED DNS_DP_DOMAIN_DEFAULT DNS_DP_ENLISTED
pszDpFqdn : DomainDnsZones.hprs.locl

I could get to www.samba.org, probably because 209.18.47.61 was in the resolv.conf. I've just now removed the ISP's nameservers and I can get to www.samba.org, so I suppose the dns forwarder is doing its job.

When I actually deploy this DC to production should I remove 209.18.47.61 from smb.conf? Replace it with 192.168.0.1 (the firewall/router)? On the current DC there is no ISP DNS server in resolv.conf, but that system uses BIND9_FLATFILE so the whole bind/named system is in place for public domain name resolution. On this system I used Samba Internal DNS backend. bind is not running on this new system. Nevertheless, as just mentioned, I can resolve public domains. After starting samba for the 1st time I should probably have removed 209.18.47.61 from resolv.conf.

--Mark
On Fri, 01 Dec 2023 18:25:43 Mark Foley via samba <samba at lists.samba.org> wrote:
> [...]
> After starting samba for the 1st time I should probably have removed
> 209.18.47.61 from resolv.conf.
>
> --Mark

Later ... I figure dns resolution, etc. will work; and when I move this to the in-house LAN I'll change the dns forwarder to point to the firewall/router.

The only possible issue is that 'host -t PTR 192.168.0' fails even though 'samba-tool dns zonecreate dc1.hprs.locl 0.168.192.in-addr.arpa' was successful. Unless you see some obvious config error with this, I'll move on with the rest of the configuration and joining a domain member.

Thanks --Mark
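The failing PTR lookup and the /etc/hosts, smb.conf and zonelist pasted above, as an added Python example that is not part of the thread: it parses the [global] section and samba-tool dns zonelist output (sample inputs constructed from the thread's own values; <dc> is a placeholder for the DC's hostname), derives the in-addr.arpa zone and label for the DC's address, checks that the hosts entry matches netbios name plus realm, and prints the samba-tool dns add command for the DC's PTR record, which zonecreate does not create. This is a checking script of my own, not something Rowland or the Samba project supplies.

```python
import ipaddress

# Constructed sample inputs copied from the thread's /etc/hosts, smb.conf and zonelist output.
HOSTS = "127.0.0.1 localhost\n192.168.0.2 DC1.hprs.local DC1\n"
SMB_CONF = """[global]
dns forwarder = 209.18.47.61
netbios name = DC1
realm = HPRS.LOCL
server role = active directory domain controller
"""
ZONELIST = """  pszZoneName                 : hprs.locl
  Flags                       : DNS_RPC_ZONE_DSINTEGRATED DNS_RPC_ZONE_UPDATE_SECURE
  pszZoneName                 : 0.168.192.in-addr.arpa
"""

def parse_global(conf):
    """Return the [global] parameters of an smb.conf as a dict with lowercased keys."""
    section, params = None, {}
    for raw in conf.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;": continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
        elif section == "global" and "=" in line:
            key, value = line.split("=", 1)
            params[key.strip().lower()] = value.strip()
    return params

def zone_names(zonelist):
    """Extract the pszZoneName values from samba-tool dns zonelist output."""
    return [l.split(":", 1)[1].strip() for l in zonelist.splitlines()
            if l.strip().startswith("pszZoneName")]

def reverse_zone_and_label(ip):
    """'192.168.0.2' -> ('0.168.192.in-addr.arpa', '2'), assuming a /24 reverse zone."""
    label, zone = ipaddress.ip_address(ip).reverse_pointer.split(".", 1)
    return zone, label

def check_dc(hosts, conf, zonelist, ip):
    """Return findings about the DC's hosts entry and its reverse-zone PTR record."""
    g = parse_global(conf)
    fqdn = f"{g['netbios name']}.{g['realm']}".lower()  # name the DC expects to own
    findings = []
    for line in hosts.splitlines():
        fields = line.split()
        if fields and fields[0] == ip and fqdn not in [n.lower() for n in fields[1:]]:
            findings.append(f"/etc/hosts maps {ip} to {fields[1]}, expected {fqdn}")
    zone, label = reverse_zone_and_label(ip)
    if zone not in zone_names(zonelist):
        findings.append(f"reverse zone {zone} missing; create it with: samba-tool dns zonecreate <dc> {zone}")
    else:  # zonecreate creates the zone but no PTR records, so the DC's own PTR must be added
        findings.append(f"{zone} exists but zonecreate adds no PTR records; add the DC's PTR with: "
                        f"samba-tool dns add <dc> {zone} {label} PTR {fqdn}")
    return findings
```

Run against the thread's values it reports both the hprs.local/hprs.locl mismatch in /etc/hosts and the missing PTR step.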
Before attempting to join domain members with my newly provisioned AD/DC, there are some differences between this new smb.conf and the one from the current DC running Samba 4.8.2. Please advise if I need any of these:

[global]
server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbind, ntp_signd, kcc, dnsupdate
ntlm auth = yes
winbind use default domain = yes
template shell = /bin/bash
log level = 2 passdb:5 auth:10 winbind:2 lanman:10
load printers = no
printing = bsd
printcap name = /dev/null
disable spoolss = yes

[Users]
path = /redirectedFolders/Users
comment = user folders for redirection
read only = No

[share]
path = /var/lib/samba/share
comment = Shared folder
read only = No

Note that the old/current DC was provisioned with BIND9_FLATFILE whereas the new one uses Samba Internal DNS backend.

The old/current DC utilized redirected folders as a Windows Group Policy which kept certain workstation folders (Desktop, Documents, Pictures, Favorites, etc.) on the DC, not on the Workstation. I expect to be able to do the same with the new version Samba DC (4.18.8).

I don't know if passdb, auth, winbind, lanman logging works with the new DC, and maybe I don't need any of these unless there is a problem. The 'load printers' bit was just to disable printing from the DC. I don't know what [share] was used for and perhaps that is not needed.

My entire current samba-tool provision generated smb.conf is:

[global]
dns forwarder = 209.18.47.61
netbios name = DC1
realm = HPRS.LOCL
server role = active directory domain controller
workgroup = HPRS
idmap_ldb:use rfc2307 = yes
interfaces = lo, eth1
bind interfaces only = Yes
load printers = no
printing = bsd
printcap name = /dev/null
disable spoolss = yes

[sysvol]
path = /var/lib/samba/sysvol
read only = No

[netlogon]
path = /var/lib/samba/sysvol/hprs.locl/scripts
read only = No

As mentioned, I plan on adding [Users]. Thoughts?

--Thanks Mark